January 17, 2019 


The Honorable Toni Atkins 
Senate President Pro Tempore 
State Capitol, Room 205 

The Honorable Patricia Bates 
Senate Minority Leader 
State Capitol, Room 305 

The Honorable Anthony Rendon 
Assembly Speaker 
State Capitol, Room 219 

The Honorable Marie Waldron 
Assembly Republican Leader 
State Capitol, Room 3104 

Dear Senators and Assemblymembers: 

We are California-licensed or -based privacy lawyers, professionals, and law professors. We 
write to express our concerns about the California Consumer Privacy Act (“CCPA”) and its 
urgent need for major changes. This letter highlights six areas warranting extra consideration as 
the California legislature endeavors to improve the law. This is not a comprehensive or detailed 
list of all desirable changes to the CCPA, but we would be happy to work with you or your staff 
to develop such a list or provide more specifics about our concerns. 

1) Application to Stakeholders Who Did Not Provide Input. Most US privacy laws are 
“sectoral-based,” i.e., they are optimized for the needs of specific industries. In contrast, the 
CCPA applies across all industries, with only limited exceptions. Because of the CCPA’s rushed 
approval process, the California legislature did not hear from thousands of different industries 
affected by the CCPA. The CCPA will likely need many changes to properly accommodate this 
wide range of industries. As the legislature works to improve the CCPA, it would be beneficial to 
conduct the kind of broad-based fact gathering from multiple constituencies that the legislature 
normally does when evaluating a major law. 

2) Compliance Costs for Small Businesses. The CCPA unsuccessfully tried to exclude small 
businesses from its requirements. The definition of “business” likely reaches many small 
businesses, including low-margin retail businesses that store 137 unique credit cards a day and 
tiny ad-supported websites/blogs that get only 137 unique visitors per day. These businesses 
cannot afford the CCPA’s substantial compliance costs, so they may either ignore the law or exit 
the market. To avoid these undesirable results, the CCPA should increase its compliance 
thresholds or scale compliance obligations to business size (or similar proxies). 

3) Inconsistencies with the GDPR. Many California businesses recently spent a lot of money 
on GDPR compliance. Substantial differences between the GDPR and CCPA will impose a new 
and expensive round of compliance work on those businesses. Worse, those extra expenses 
probably will not incrementally enhance California consumers’ privacy. The legislature could 
help by harmonizing the CCPA and the GDPR to eliminate the need for two different 
compliance programs; or by providing a CCPA safe harbor for GDPR-compliant businesses. 

4) The CCPA Counterproductively Undermines Consumer Privacy. Several provisions of 
the CCPA potentially undermine consumer privacy. For example, the law still seems to 
mistakenly require businesses to publicly disclose consumers’ private data (1798.110(c)(5)). 

More generally, to enable the required access, erasure, and portability of personal information, 
businesses may need to make all of their data identifiable, even data they would prefer to store in 
non-identifiable ways. 

Furthermore, several well-publicized incidents have demonstrated how the GDPR’s access and 
data portability mechanisms expose consumers to additional risks of disclosure to malicious 
hackers or third parties. The CCPA’s data access and portability provisions create similar risks. 
To avoid this unwanted result, businesses—at substantial expense—try to confirm requestors’ 
identities, which counterproductively may require the businesses to collect more personal 
information from consumers. As a result, the CCPA’s data access, erasure, and portability 
provisions should be calibrated to ensure they enhance, rather than reduce, consumer privacy. 

5) Overbroad Definitions. The definitions are the CCPA’s foundation, and their clarity will 
dictate the law’s success or failure. Numerous statutory definitions are overbroad, imprecise, or 
simply unhelpful. Without amendment, they will cause substantial confusion and compliance 
hardships. We have already mentioned the miscalibrated definition of “business.” Other 
examples include: 

• The definition of “consumer” problematically extends to company employees and 
business-to-business contacts. 

• The definition of “personal information” has numerous problems. Most importantly, it 
applies to data that no consumer would ever consider identifiable. Also, some specific 
examples of personal information, such as “thermal” and “olfactory” information, are 
nonsensical, as is the current scope and treatment of “publicly available” information. 

• The repeated references to “households”—a concept not in the GDPR—unhelpfully 
expand the definition of one person’s “personal information” to reach data about other 
people. It also means that a business’ data practices towards one person can affect other 
people in unexpected and potentially unwanted ways. 

• The definition of “sale” does not clarify when data transfers or sharing are done for 
“valuable consideration,” a question of critical importance to many California businesses. 

• The definitions of “service provider” and “third party” are unclear, and they diverge from 
the GDPR’s definitions of data controllers and data processors. Furthermore, the two 
definitions leave open some key gaps, such as the treatment of non-profit vendors. 

6) Extraterritorial Reach. The CCPA purports to reach activity outside of California. Two 
examples: 

• The law claims to regulate businesses with no nexus with California other than being affiliates 
of California-based businesses. 

• The thresholds for a regulated “business” apparently count non-California-based activities. For 
example, the $25M threshold equally applies to businesses that receive all revenues from 
California residents and businesses that receive only $1 of revenue from California residents. If 
so, a business without any ties to California must comply with the CCPA (at substantial expense) 
the moment it accepts a single dollar from a California resident. 

The CCPA’s purported application to activity outside of California raises substantial 
Constitutional concerns and potentially exposes the state to expensive and distracting litigation. 
More importantly, it causes tremendous uncertainty and possibly wasted expenditures for 
businesses without real ties to California. The legislature should clarify the CCPA’s applicability 
to activities outside California. 


* * *

Everyone has acknowledged that the CCPA remains a work-in-progress, but there may be some 
misapprehensions about the scope and scale of the required changes still remaining. In our view, 
the CCPA needs many substantial changes before it becomes a law that truly benefits California. 
We appreciate your work on these important matters. 

Regards, 


Professor Eric Goldman 
Co-Director, High Tech Law Institute 
Co-Supervisor, Privacy Law Certificate 
Santa Clara University School of Law 
500 El Camino Real 
Santa Clara, CA 95053 
408-554-4369 
egoldman@gmail.com 

...on behalf of himself and the signatories listed on the subsequent page. All signatories are 
signing as individuals and not on behalf of their employers; any listed affiliations are for 
identification purposes only. 

Signatories: 


Heather A. Antoine 

Mania Aslan, CIPP/US, CIPP/E, CIPM 
Mila Balke 

Deepali Brahmbhatt, One LLP and CIPP/US 
Rafae Bhatti, CIPP/US, CIPM 
Alan Chapell, Chapell & Associates and CIPP/US 
Allison Cohen, Loeb & Loeb and CIPP/US 
Brendan Comstock, CIPP/US 

Tanya Forsheit, Frankfurt Kurnit Klein & Selz and CIPP/US, CIPT 
Also: Adjunct Professor, Loyola Law School 
Alan L. Friel, BakerHostetler and CIPP/US, CIPM 
Also: Adjunct Professor, Loyola Law School 
Elizabeth Fu, CIPP/US 
Cathy Gellis 

Daniel Goldberg, Frankfurt Kurnit Klein & Selz and CIPP/US 

Mike Godwin 

Porscha Guasch, CIPP/US 

Ganka Hadjipetrova, CIPP/US, CIPM 

Michael Hellbusch, Rutan & Tucker and CIPP/US, CIPP/E, CIPM 

Deborah Shinbein Howitt, Lewis Bess Williams & Weese and CIPP/US 

Lily Lei Kang, CIPP/US 

Bennet Kelley, Internet Law Center 

Irene Koulouris, CIPP/US 

Amy Lawrence, Frankfurt Kurnit Klein & Selz and CIPP/US 

Letitia Lee, CIPP/US 

Christine Lyon, Morrison & Foerster 

Olivia Manning, CIPP/US, CIPM 

Jess Miers, CIPP/US 

Chiara Portner, Hopkins & Carley, CIPP/US 

Hannah Poteat, CIPP/US 

Kristie D. Prinz 

Kristen Psaty, CIPP/US 

Michael G. Rhodes, Cooley LLP 

Andra Robinson 

Michael Scapin, CIPP/US 

Andrew Serwin, Morrison & Foerster and CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM 
Berin Szoka 

Brent Tuttle, CIPP/US, CIPP/E, CIPT 

Pamela C. Vavra, Pamela C. Vavra Law Offices 

Sophia Vogt, CIPP/US 

Charlie Vuong, CIPP/US 

Randy Wilson, CIPP/US, CIPP/EU, CIPM 